 |
Previous Next Sheriff CSM™
Oracle JD Edwards EnterpriseOne
When you configure Oracle JD Edwards EnterpriseOne to send log data to Sheriff CSM, you can use the Oracle JD Edwards EnterpriseOne plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin: Plugin Information| Device | Details |
|---|---|
| Vendor | Oracle |
| Device Type | Application |
| Connection Type | Syslog |
| Data Source Name | oracle-jde |
| Data Source ID | 1899 |
Integrating Oracle JD Edwards EnterpriseOne
Before you configure the Oracle JD Edwards EnterpriseOne integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy). To configure Oracle JD Edwards EnterpriseOne to send Syslog messages to Sheriff CSM- Select audit classes to be sent to the audit_syslog plugin, and make the plugin active.
# auditconfig -setplugin audit_syslog \ active p_flags=lo,+as,-ssNote:
- p_flagsaudit classes must be preselected as either system defaults or specified in the audit flags of a user or a rights profile. Records are not collected for a class that is not preselected. You can instruct the audit service to copy some or all of the audit records in the audit queue to the syslog utility. If you record both binary audit data and text summaries, the binary data provides a complete audit record, while the summaries filter the data for real-time review. - Configure the syslog utility by adding an audit.notice entry to the
syslog.conffile. (The entry includes the location of the log file.)# cat /etc/syslog.conf … audit.notice /var/adm/auditlog
- Create the log file.
# touch /var/adm/auditlog
- Set the log file's permissions to 640.
# chmod 640 /var/adm/auditlog
- Check which system-log service instance is running on the system.
# svcs system-log STATE STIME FMRI online Nov_27 svc:/system/system-log:default disabled Nov 27 svc:/system/system-log:rsyslog
- Refresh the configuration information for the active syslog service instance.
# svcadm refresh system/system-log:default
- Refresh the audit service. On refresh, the audit service reads the changes to the audit plugin.
# audit -s
- Specify audit classes for syslog output. In the following example, the syslog utility collects a subset of the preselected audit classes.
# auditconfig -setnaflags lo,na # auditconfig -setflags lo,ss # usermod -K audit_flags=pf:no jdoe # auditconfig -setplugin audit_syslog \ active p_flags=lo,+na,-ss,+pf
The arguments to the auditconfig command instruct the system to collect all login/logout, non-attributable, and change of system state audit records. The audit_syslog plugin entry instructs the syslog utility to collect all logins, successful non-attributable events, and failed changes of system state. The binary utility collects successful and failed calls to the
pfexeccommand. The syslog utility collects successful calls to the pfexec command.Note: Regularly archive the syslog log files. The audit service can generate extensive output. To manage the logs, see the logadm man page.
- To direct syslog audit records to Sheriff CSM, change the audit.notice entry in the syslog.conf file to point to the remote system. In this example, the name of the local system is sys1.1. The remote system is remote1.
sys1.1 # cat /etc/syslog.conf … audit.notice @<IP_address_of_SheriffCSM>
The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.
remote1 # cat /etc/syslog.conf … audit.notice /var/adm/auditlog